Penetration Testing Report Client: Business Solutions June 15 th 2015



Similar documents
Penetration Test Report

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Penetration Testing with Kali Linux

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

SAST, DAST and Vulnerability Assessments, = 4

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Vulnerability Assessment and Penetration Testing

Penetration Test Report

Windows Remote Access

External Network Penetration Test Report

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Cyber Essentials. Test Specification

Exploiting Transparent User Identification Systems

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

Five Steps to Improve Internal Network Security. Chattanooga ISSA

A Decision Maker s Guide to Securing an IT Infrastructure

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Protecting Your Organisation from Targeted Cyber Intrusion

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Information Security Services

IBM. Vulnerability scanning and best practices

Where every interaction matters.

!!!!!!!!!!!!!!!!!!!!!!

Understanding Security Testing

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

The Trivial Cisco IP Phones Compromise

SANS Top 20 Critical Controls for Effective Cyber Defense

Client logo placeholder XXX REPORT. Page 1 of 37

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

GFI White Paper PCI-DSS compliance and GFI Software products

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Installing and Configuring Nessus by Nitesh Dhanjani

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

IBM Managed Security Services Vulnerability Scanning:

Metasploit The Elixir of Network Security

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Learn Ethical Hacking, Become a Pentester

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

AN OVERVIEW OF VULNERABILITY SCANNERS

SCP - Strategic Infrastructure Security

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

V ISA SECURITY ALERT 13 November 2015

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Rapid Vulnerability Assessment Report

4. Getting started: Performing an audit

IT HEALTHCHECK TOP TIPS WHITEPAPER

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

1. Why is the customer having the penetration test performed against their environment?

CDM Vulnerability Management (VUL) Capability

Penetration Testing Walkthrough

Hands-on Hacking Unlimited

Locking down a Hitachi ID Suite server

Penetration Testing - a way for improving our cyber security

Commissioners Irving A. Williamson, Chairman Daniel R. Pearson Shara L. Aranoff Dean A. Pinkert David S. Johanson Meredith M.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Medical Device Security Health Group Digital Output

Penetration Testing. Presented by

Network Security Audit. Vulnerability Assessment (VA)

STABLE & SECURE BANK lab writeup. Page 1 of 21

Nixu SNS Security White Paper May 2007 Version 1.2

Xerox Mobile Print Cloud

Setting Up Scan to SMB on TaskALFA series MFP s.

Information Security Office

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

The Nexpose Expert System

FREQUENTLY ASKED QUESTIONS

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Metasploit ing the target machine is a fascinating subject to all security professionals. The rich list of exploit codes and other handy modules of

DiamondStream Data Security Policy Summary

Microsoft Baseline Security Analyzer (MBSA)

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Payment Card Industry (PCI) Data Security Standard

Columbia University Web Security Standards and Practices. Objective and Scope

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

How to Grow and Transform your Security Program into the Cloud

Network and Host-based Vulnerability Assessment

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

Transcription:

Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com Web: www.acumen-innovations.com

Penetration Testing Report Business Solutions Table of Contents 1.0 - Executive Summary... 2 2.0 - Narrative... 3 2.1 - Reconnaissance... 3 2.2 First Phase... 4 2.3 Second Phase... 5 2.4 Third Phase 7 3.0 - Conclusion... 10 4.0 - Recommendations... 10 Appendix A: Risk Rating Scale... 12 Appendix B: Vulnerability Details and Mitigation....13 Appendix C: Tools Used.....14 Acumen Innovations Penetration Test 1

1.0 - Executive Summary Penetration Testing Report Business Solutions We were contracted by Business Solutions in order to conduct a thorough penetration test of their public infrastructure and determine what kind of access a malicious attacker could attain. Specifically, Business Solutions was interested in the following: - Determining whether an external attacker could find an entry point into the internal network - If a path was found, determine: o What systems the attacker could reach o If the confidentiality/integrity of confidential system information would be compromised The attacker was modeled after a regular Internet user with no previous knowledge of the company. The only information provided was a domain name, and only the server hosting this application was within the scope of work. Through a series of vulnerabilities, we managed to get past the perimeter defenses and into the server. Further network discovery was done in order to obtain a picture of the network configuration and further the attack. During the internal discovery phase, it was discovered that the breached structure was part of an internal network which contained multiple devices. We focused our attention on a machine which appeared to be the Human Resources computer. This target was chosen because it seemed likely that it would host confidential information about company personnel and was therefore deemed a high value target. Further exploitation of the target system resulted in complete control over the HR computer, along with additional credentials that could be used to further the attack. At this point however, it was determined that enough control had been obtained in order to successfully demonstrate the seriousness of the vulnerabilities found. The assessment was conducted in a controlled manner following the recommendations outlined in NIST SP800-115. Acumen Innovations Penetration Test 2

2.0 - Narrative Penetration Testing Report Business Solutions 2.1 - Reconnaissance Figure 1: Initial view of the target The first step of the penetration test was to gather information about our target using the starting point given, which is the url. The web application is examined for vulnerabilities and port scans were done in order to identify what ports where open and what services where listening. The port scan revealed two publicly accessible services running; a web server running on port 80 and an ftp server listening on port 21. Figure 1.1 Nmap indicates the presence of a network level firewall filtering probes to other ports. FTP and Web servers are both exposed to the public. Acumen Innovations Penetration Test 3

Penetration Testing Report Business Solutions Service version enumeration was accomplished through banner grabbing and it yielded an apache web server and a proftp server both running outdated versions. As previous proftp versions contained several vulnerabilities, this was chosen as our target. 2.2 First Phase - Compromise Public Server After studying the ftp application, two vulnerabilities were discovered. The first was a publicly known exploit on the mod_copy module which enabled unauthenticated users to move files within the server. This enabled us to move the /etc/passwd file, and due to a permissions misconfiguration, move the /etc/shadow file as well. Figure 2 Improper file permissions yielded access to the shadow file which contained hashed passwords for company executives. An attempt to crack the hash in the shadow file provided no results, at which point we went back to carefully study the ftp application and we identified a previously unknown vulnerability. The proftp application did not seem to strip invalid characters from the username parameter before recording the login attempt to the access.log file. This enabled us to inject a short piece of php which, when executed, would upload a reverse connect shell from our server to theirs. Figure 2.1 The username parameter in Proftp 1.3.5rc3 did not properly sanitize user input before passing it to auth.log Using the first vulnerability, the log file was moved to the root web folder and renamed upload.php. This way it would be treated as a php script when called which would execute the previously injected php code and upload our shell. Acumen Innovations Penetration Test 4

Penetration Testing Report Business Solutions A listener was set up and when the file was called we obtained a reverse shell with the privilege of the www-data user. Figure 2.2 By leveraging a known and unknown vulnerability, a shell was successfully uploaded into the public server. This allowed us to upload more tools to further the attack. 2.3 Second Phase - Pivot With an interactive shell on the server we had the permissions of the www-data user. Rather than attempt to escalate privileges, here we focused on further network discovery and studying what other applications were on the server. Since no developer tools were found on the server, a bash script was uploaded and used (See appendix D) to get more information about the system. Results showed an SQL database and SSH server listening on ports 3306 and 22. Figure 3.0 Once behind the network firewall, reconnaissance of the server revealed a MySQL database and SSH server running locally. Acumen Innovations Penetration Test 5

Penetration Testing Report Business Solutions This indicated a network level firewall was in place which had dropped our previous scans to those ports. During the scan, a Windows machine was identified using the open and closed ports, as well as NetBIOS. Enumeration revealed a wealth of information, such as the machine having shared folders, computer name and more. This was chosen as our target as the name indicated it would be a high value target. Figure 3.1 A scan done from the compromised system revealed it was part of an internal network, and use as our pivot to enumerate the internal environment. The system located at 192.168.255.3 had a telnet server, NetBios, remote desktop and more listening. The computer name indicated that this machine belonged to a human resources staff member, which made it a valuable target due to confidential files stored within it. Further OS fingerprinting revealed this was a Windows XP SP3 machine which was important because Microsoft stopped all support for the XP platform on April 8th 2014, meaning any vulnerabilities discovered after this date would be unpatched. Investigation into the listening services revealed port 445 on this computer was vulnerable to MS Spools CVE-2010-2729, a vulnerability in the drivers for shared printer configuration in various versions of Windows. If exploited, this could lead to complete system compromise. Before we could attack this machine, we had to bypass the network firewall and forward our traffic to port 445. In order to achieve this, all communications were routed through the compromised server and therefore attacked the HR computer from behind the firewall and inside the network. Acumen Innovations Penetration Test 6

Penetration Testing Report Business Solutions Figure 3.2 - Pivoting to the internal target was accomplished by routing all outside communications through the compromised server. After setting up the pivot, the next step was to compromise the computer. 2.4 Third Phase - Compromise HR Using a publicly available exploit, the MS spools vulnerability was triggered and a meterpreter shell chosen as the payload. Under normal circumstances, MS08-061 will not provide a remote user control over the computer because it creates the payload but is unable to execute it remotely. To bypass this restriction, the file is written to a directory used by Windows Management Instrumentation. This directory is periodically scanned and any.mof files are processed automatically. This exploit was successfully executed, giving us control over the user s computer. Acumen Innovations Penetration Test 7

Penetration Testing Report Business Solutions 4.0 A vulnerability in the outdated and unsupported Windows XP operating system not only gave us access but also allowed us to dump all user hashes to be used in further attacks. A hash dump was done and various password hashes were collected for cracking. Finally, A VNC server was injected into the victim s computer to get a desktop view of the user. Figure 4.1 At this point, the VNC server was used to observe the actions of the target and learn more about the company. Acumen Innovations Penetration Test 8

Penetration Testing Report Business Solutions At this stage, a malicious attacker could further the attack by: - Using the internal systems behind the firewall to distribute backdoors to other areas of the network - Carrying out targeted attacks against any and all employees through information found on the computer, - Destruction and/or stealing of sensitive employee and company data - Distribution of malicious client side code via Business Solutions web page - Leveraging web server access to conduct attacks against Business Solutions partners and clients that maintain a trusting relationship with the company It was therefore determined that although these steps were possible, they were outside the current scope of work. We had successfully shown a direct path from a public server into the company s internal resources including databases and an HR personnel computer, exposing data that could be used to further attacks and compromising all system integrity and confidentiality with the ability to affect availability as well. Figure 4.1 A sequence of vulnerabilities allowed us to bypass network level firewalls to compromise a server on the internal network which was leveraged as a pivot to compromise further hosts on the internal network. Acumen Innovations Penetration Test 9

3.0 - Conclusion Penetration Testing Report Business Solutions Through a series of vulnerabilities, we were able to gain administrative access to critical system resources of Business Solutions internal network. These vulnerabilities would have had a catastrophic impact on Business Solutions day to day activities had they been exploited by a malicious attacker. The outdated software used to exploit the system along with incorrect file permissions indicates a series of failures in software deployment, server management and the patch management program. The project scope for this test was the following: - Determine whether an external attacker could find an entry point into the internal network - If a path was found, determine: o What systems the attacker could reach o If the confidentiality/integrity of confidential system information would be compromised As demonstrated above, these goals were all met. An attack against Business Solutions resulted in complete loss of integrity and confidentiality of personal employee information, as well as access to various company assets. The breach of Business Solutions internal networks can be greatly attributed to flaws in its patch management program and insufficient access controls at the network level. Review of the patch management process and network boundary segmentation must be implemented in order to mitigate the vulnerabilities exploited during the penetration test. 4.0 - Recommendations Due to the severity of the impact our attack would have had on the overall organization, it is recommended that sufficient resources be allocated to remediate both external and internal network vulnerabilities in a timely manner. While this engagement was not done to provide a comprehensive list of all security vulnerabilities and solutions, the following actions are recommended: 1. Implement/Review Patch Management Process Outdated versions of software were found both externally and internally, indicating a lack of a patch management process. Maintaining and updating a patch management program in accordance to NIST SP 800-40 is a necessary component in reducing a company s attack surface. 2. Establish trust boundaries External and internal networks should be separated by different trust boundaries, with packet filtering controls at the nodes in order to reduce an attacker s access to company information. Separate segmented networks should be implemented for different departments within a company to mitigate the risk of an internal compromise having a cascading effect on the rest of the company. 3. Review file permissions and use least-privilege principle The shadow file was accessible because of incorrect file permission settings. Under a default configuration, the shadow file is not accessible to anyone other than the root user. Contents indicated two users with high privilege. Different restricted privilege accounts should be created for all users using the server in order to control impact if one is breached. 4. Conduct regular vulnerability assessments Regular vulnerability assessments are needed for the timely discovery and patching of new previously undiscovered vulnerabilities. For more information on operating an effective risk management program, please consult NIST SP 800-30. Acumen Innovations Penetration Test 10

Risk Rating Penetration Testing Report Business Solutions Because a direct path from a public structure to a confidential and internal part of the network was discovered during the penetration test, we have determined the overall risk rating for Business Solutions is High. There are multiple paths an external attacker could take in order to compromise internal resources which would impact the systems availability, integrity and confidentiality. Acumen Innovations Penetration Test 11

Appendix A: Risk Rating Scale Penetration Testing Report Business Solutions In accordance with our internal risk assessment scale which follows the guidelines set forth in NIST SP800-30, vulnerabilities are categorized using the following rating system: Likelihood of threat event occurrence The following definitions are used when describing the likelihood of adversarial threat occurrence: Critical An adversary is almost certain to exploit the vulnerability and initiate the threat event. Minimal skill is required and/or automated tools are readily available to exploit. High An adversary is highly likely to exploit the vulnerability and initiate the threat event. Minimal skill is required. Medium An adversary is somewhat likely to exploit the vulnerability and initiate the threat event. Some skill required and/or favorable circumstances required. Low An adversary is unlikely to exploit the vulnerability and initiate the threat event. High level of skill and determination is required. Likelihood threat event results in adverse impacts The following definitions are used when describing the likelihood that vulnerability exploitation will have adverse impacts on the system: Critical If a vulnerability is exploited, it is certain it will have adverse impact on the system. High If a vulnerability is exploited, it is highly likely to have adverse impacts on the system. Medium If a vulnerability is exploited, it is somewhat likely to have adverse impacts on the system. Low If a vulnerability is exploited, it is unlikely to have adverse impacts on the system. Figure 1.0 Assessment Scale Overall Likelihood Likelihood of Threat Event Occurrence Likelihood Threat Events Result in Adverse Impacts Low Medium High Critical Critical Moderate High Critical Critical High Moderate Moderate High Critical Medium Low Moderate Moderate High Low Low Low Moderate Moderate Low Manage by routine process Moderate Mark as Priority High Immediate Attention Required Critical Execute mitigation strategy immediately Acumen Innovations Penetration Test 12

Appendix B: Vulnerability Details and Mitigation Penetration Testing Report Business Solutions Patch Management Process Rating: Description: Impact: Mitigation: High Both external and internal networks contained unpatched software. An outdated ProFTP server allowed us access to the internal network where we were able to pivot to access an unpatched Windows XP host. A combination of high impact public exploits and low impact undiscovered vulnerabilities in the software allowed us access to confidential employee data. The patch failures in both instances indicates an absence of a complete patch management plan including process and execution. Both internal and external network hosts must be constantly kept up to date with vendor security patches. This can be accomplished through third party tools for large environments. For more information, please refer to NIST SP-800-40. File Permissions Rating: Description: Impact: Mitigation: High The shadow file in the external host was readable by the www-data user. The shadow file in the deployed Debian server stores all the salt and password hashes for the user accounts in the system. It is used for user authentication, and therefore should not be readable by anyone other than root. Access to this file will supply malicious attackers with password hashes which, if recovered, will lead to root control of the server and potentially other systems if the credentials are reused. Shadow file permissions should be set to 400 to disable anyone but root to be able to read the file. Least Privilege Principle Rating: Description: Impact: Mitigation: High Analysis of the Windows XP password hashes revealed the current user has local administrative rights. Having only a single account with administrative rights means there was no need for further local privilege escalation. Once the host was compromised we had complete read, write and execution control over any and all files within system. All hosts should be set up using the least privilege principle, in which a user should be given no more privilege than absolutely required to do their job. This way, if the restricted account is compromised, the attacker will have to further escalate privileges in order to have control of the system Acumen Innovations Penetration Test 13

Appendix C: Tools Used Penetration Testing Report Business Solutions Internal network scanner #!/bin/bash printf "Acumen Innovations - Subnet Discovery script \n" printf "\n[*]current user: \n \n" echo `id -a` printf "\n[*]local Kernel version: \n \n" echo `uname -r` printf "\n[*]tcp Open ports on localhost: \n \n" eval netstat -tnlp printf "\n[*]starting Subnet discovery: \n \n" for ip in 192.168.255.{0..255}; do ping -c 1 -W 1 $ip > /dev/null 2> /dev/null; if [ $? -eq 0 ]; then printf "\n[!]${ip} is up"; printf "\n[*]attempting nbtscan...\n" eval nbtscan -q -v ${ip} printf "\n Open ports on ${ip}: \n" nc -v -n -z -w1 -r $ip 20-30, 53, 110-140, 143, 3389, 8080, 8888, 443, 445, 5900, 3306, 1433 fi done Acumen Innovations Penetration Test 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information